Phishing and BEC Trends Show Increased Impersonation and Evolving Social Engineering
Threat researchers reported continued growth and diversification in impersonation-driven phishing. Guardio data cited by KnowBe4 identified Microsoft as the most impersonated brand in phishing during Q4 2025, followed by Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase. The activity reportedly surged around high-traffic seasonal moments (e.g., Black Friday “storefront” scams, December delivery scams, and January job-search lures), reflecting attackers’ focus on exploiting predictable user behavior and time-sensitive themes.
Separately, LevelBlue SpiderLabs reported BEC activity increased 15% in 2025 vs. 2024 based on MailMarshal telemetry, averaging 3,000+ BEC messages/month (peaking at 4,300 in July). The report noted seasonal/operational timing effects (e.g., quarter transitions and summer vacation staffing gaps) and highlighted evolving tactics including “contact details swapping,” where attackers impersonate finance teams to “update” official contact information to redirect payments or communications. Together, the reporting indicates sustained growth in impersonation and social engineering as a primary driver of fraud and account compromise risk, with attackers adapting lures to business cycles and consumer seasons.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft ranked most impersonated brand in Q4 2025 phishing
Guardio researchers found that Microsoft was the most commonly impersonated brand in phishing attacks during Q4 2025, followed by Facebook and other consumer, gaming, telecom, and crypto brands. The activity was linked to seasonal scam themes such as holiday shopping, delivery notifications, and January job-hunting lures.
BEC attacks increased 15% during 2025
LevelBlue reported that business email compromise activity rose by 15% in 2025, indicating a year-over-year increase in BEC attacks. The reference does not provide a more specific event date than the year-long trend itself.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and BEC Campaigns Abusing Trusted Platforms and Infrastructure
A wave of **phishing activity** is leveraging trusted brands and legitimate platform features to increase click-through and evade security controls. LinkedIn users are being targeted via fake “reply” comments posted on public threads that impersonate LinkedIn policy enforcement, claim an account violation, and push victims to external credential-harvesting pages. The lures mimic official branding and sometimes use LinkedIn’s own `lnkd.in` shortener to obscure destinations; reported redirect chains include Netlify-hosted pages (e.g., `very1929412.netlify[.]app`) leading to additional domains (e.g., `very128918[.]site`) designed to capture credentials. LinkedIn stated it is aware of the campaign and emphasized it does not communicate policy violations via public comments. Separately, RavenMail reported a large-scale email phishing campaign impacting **3,000+ organizations** (notably manufacturing) that abused **Google infrastructure** to bypass defenses: messages were sent via legitimate Google services, passed **SPF/DKIM/DMARC**, and used trusted Google-hosted URLs and Google Cloud Storage to host payloads and redirectors—without requiring a compromise of Google itself. In parallel trend reporting, LevelBlue SpiderLabs observed **BEC** volume rising **15% in 2025** based on MailMarshal telemetry (averaging 3,000 intercepted BEC messages per month), with evolving social engineering such as “**contact details swapping**,” where attackers impersonate finance teams to “update” official contact information to divert payments or data; this underscores continued attacker focus on impersonation and trust exploitation across both social platforms and email ecosystems.
Mar 21, 2026
Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions
Recent reporting and vendor research indicate threat actors are increasingly prioritizing **identity-based intrusion paths**—notably phishing, credential theft, and **Business Email Compromise (BEC)**—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur **before public disclosure** and that overall **CVE volume rose by 20%+ year-over-year**. Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported **32M+ high-confidence phishing emails** across its customer base, with many messages bypassing baseline controls (including **70% passing DMARC**), targeting executives, using **malicious QR codes**, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as **~48% of global financial phishing activity** and **~23.5% of finance-related dark web threat activity** attributed to the U.S. market.
Mar 21, 2026
Social Engineering and Phishing-Driven Intrusions Targeting Identity and Remote Access
Multiple reports highlight **social engineering and phishing** as primary initial-access vectors, with attackers increasingly targeting **identity systems** rather than exploiting software vulnerabilities. Microsoft was again the most spoofed brand in phishing during Q4 2025 (22% of observed brand-impersonation attempts), reflecting how attackers abuse trust in major identity and productivity platforms to harvest credentials; examples cited include lures mimicking Netflix account recovery, Roblox-related pages, and Spanish-language Facebook scams. Separately, an incident response case described payroll fraud achieved without malware or a network breach: an attacker impersonated employees to help desks, reset passwords, re-enrolled MFA, and registered an external email as an authentication method in **Azure Active Directory**, then altered direct-deposit details to redirect paychecks—underscoring how **help-desk processes and MFA reset workflows** can be exploited for persistence and financial theft. Targeted campaigns also show continued evolution in delivery tradecraft for **remote access**. A spear-phishing operation against Argentina’s judicial sector used ZIP attachments containing a weaponized Windows shortcut (`.lnk`) masquerading as a PDF plus scripts and a decoy court document to deploy a **Remote Access Trojan** while minimizing user suspicion. In parallel, research described **Pulsar RAT** (a Quasar RAT derivative) emphasizing stealth via **memory-only execution** and **HVNC**, with TLS-encrypted C2 and configuration retrieval from public paste sites, alongside persistence mechanisms such as scheduled tasks and UAC-bypass techniques. Another campaign attributed to **Konni APT** (“Operation Poseidon”) abused **Google and Naver ad redirection** (e.g., `ad.doubleclick[.]net`, `mkt.naver[.]com`) to launder clicks through trusted ad infrastructure before landing victims on compromised sites hosting malware, demonstrating how open-redirect and ad-tech trust can bypass reputation-based controls.
Mar 21, 2026